Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Suspicious Text File


  • Please log in to reply
5 replies to this topic

#1 ATGUNWAT

ATGUNWAT

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:32 AM

Posted 30 January 2011 - 06:28 AM

I found a very suspicious looking text file on my hard drive.
Looks like some sort of log file. (and I don't like some of the names I saw in it)

I uploaded it to virus total and received 0/43 hits, but I am still somewhat concerned.


File location was: C:\Windows\System32\temp.txt


This is a sample:



Declarations
{
/* Path */
Create $PATH_GENERAL_MALWARE as LIST(PRL_STRING);
Create $PATH_DOWNLOADED_PROGRAM_FILES as LIST(PRL_STRING);
Create $PATH_DOWNLOADED_PROGRAM_FILES_EXCLUSIONS as LIST(PRL_STRING);
Create $PATH_COMMON_EXECUTE_APPLICATIONS as LIST(PRL_STRING);



/* Network server Applications */
Create $APP_SERVERS_DNS as LIST(PRL_STRING);
Create $APP_SERVERS_NETWORK as LIST(PRL_STRING);
Create $APP_SERVERS_SQL as LIST(PRL_STRING);
Create $APP_SERVERS_MAIL as LIST(PRL_STRING);
Create $APP_SERVERS_WEB as LIST(PRL_STRING);

/* Network client applications */
Create $APP_WEB_NAVIGATORS as LIST(PRL_STRING);
Create $APP_CLIENTS_NETWORK as LIST(PRL_STRING);
Create $APP_CLIENTS_EMAIL as LIST(PRL_STRING);
Create $APP_CLIENTS_IM as LIST(PRL_STRING);

/* Desktop Applications */
Create $APP_MULTIMEDIA_PLAYERS as LIST(PRL_STRING);
Create $APP_WINDOWS_MEDIA_PLAYER as LIST(PRL_STRING);
Create $PATH_APP_MULTIMEDIA_PLAYERS_EXCLUSIONS as LIST(PRL_STRING);

/* Microsoft System Applications */
Create $APP_MICROSFT_SYSTEM as LIST(PRL_STRING);
Create $APP_OTHERS_WINDOWS as LIST(PRL_STRING);

/* Compressors */
Create $APP_COMPRESSORS as LIST(PRL_STRING);

/* Office Applications */
Create $APP_PDF as LIST(PRL_STRING);
Create $APP_PDF_EXCLUSIONS as LIST(PRL_STRING);

Create $APP_MICROSOFT_WORD as LIST(PRL_STRING);
Create $APP_MICROSOFT_EXCEL as LIST(PRL_STRING);
Create $APP_MICROSOFT_POWERPOINT as LIST(PRL_STRING);
Create $APP_MICROSOFT_OTHERS as LIST(PRL_STRING);

Create $APP_OPENOFFICE as LIST(PRL_STRING);

/*Debug Applications*/
Create $APP_DEBUG as LIST(PRL_STRING);

/* Command line aplications */
Create $APP_SHELL as LIST(PRL_STRING);

/* Text Editor */
Create $APP_EDITORS_TEXT as LIST(PRL_STRING);

/* malware */
Create $MALWARE_LINEAJE as LIST(PRL_STRING);
Create $MALWARE_VIKINS as LIST(PRL_STRING);
Create $MALWARE_BEAGLE as LIST(PRL_STRING);
Create $MALWARE_ROUGE as LIST(PRL_STRING);
Create $MALWARE_KEYLOGGER as LIST(PRL_STRING);

/*Rootkit*/
Create $ROOTKIT_TDSS as LIST(PRL_STRING);

/* Others */
Create $OTHERS_DANGEROUS_EXTENSIONS as LIST(PRL_STRING);
Create $OTHERS_WINAMP_PLUGINGS as LIST(PRL_STRING);



}

Assignments
{
/* Path */
$PATH_DOWNLOADED_PROGRAM_FILES = ("",
"");




$PATH_DOWNLOADED_PROGRAM_FILES_EXCLUSIONS =
("",
"",
"",
"",
"",
"",
"",


That is less than 5% of the entire file.

I did a search for a couple of lines from the document and got nothing.
Only when I shortened it up to just a few words, did I get any results, and they were only relevant to some of the names mentioned, not the actual file. (or it's unexpected location)

Has anyone else seen anything like it?

ATGUNWAT <--- it's an acronym... (All The Good User Names Were Already Taken)

BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:32 AM

Posted 06 February 2011 - 08:34 PM

Hello.

Not positive what that is, but you should be able to delete the file without any issues.

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 ATGUNWAT

ATGUNWAT
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:32 AM

Posted 07 February 2011 - 05:25 AM

Hey SG,

Thanks for the reply.

I could delete it, but I will go ahead and hold on to it for now.

If you ever do get any info on the file, or maybe others similar to it, I would be interested in knowing what you find out.

Thanks again,

ATGUNWAT

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:32 AM

Posted 07 February 2011 - 01:49 PM

This is a case where the file name is of no help. You can only investigate by its content.

I tried using the line Create $ROOTKIT_TDSS as LIST(PRL_STRING) and received one hit here in what looks to be a document from PandaLabs support. Scrolling through it shows similar entries to the other ones you listed.

Edited by quietman7, 07 February 2011 - 01:50 PM.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 ATGUNWAT

ATGUNWAT
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:02:32 AM

Posted 07 February 2011 - 03:38 PM

This is a case where the file name is of no help. You can only investigate by its content.

I tried using the line Create $ROOTKIT_TDSS as LIST(PRL_STRING) and received one hit here in what looks to be a document from PandaLabs support. Scrolling through it shows similar entries to the other ones you listed.




Hey, that's it...

So, it is a panda log.
That's a lot better than what I was thinking.
Heuristics rules, maybe? (I'm guessing)

Thanks Quietman.
Don't know how I missed that.
I did Google that very line.
Anyway, thanks for the 411, that's a load off my mind.
Case Closed.

ATGUNWAT

Edited by ATGUNWAT, 07 February 2011 - 03:41 PM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:32 AM

Posted 08 February 2011 - 07:53 AM

You're welcome.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users